Insurers defend covering ransomware payments

  • Published
lit up laptopImage source, Getty Images

The Association of British Insurers (ABI) has defended the inclusion of ransomware payments in first-party cyber-insurance policies.

It said insurance was "not an alternative" to doing everything possible to first minimise the risk.

However, it added that firms could face financial ruin without the cover.

Prof Ciaran Martin, former head of the National Cyber Security Centre, said the UK needed to rethink its policies on ransomware.

'Funding organised crime'

Ransomware is a form of malware in which infected computers are remotely locked by cyber-criminals, who then demand a ransom, often in the form of Bitcoin, to unlock them and return the data they hold.

There are many examples of businesses and public bodies which have chosen to pay because they do not have the data backed up, or cannot afford - or do not have time - to rebuild their systems from scratch.

The Guardian reported that Prof Martin, now at Oxford University's Blavatnik School of Government, said he believed insurers were "funding organised crime" by accepting ransomware claims, but he told the BBC the issue of how to tackle ransomware was far broader than just the insurance sector.

While official advice is not to pay the demand, it is not illegal to do so in the UK, he said.

"I have some sympathy with insurers, because as long as it's legal, there are incentives to pay."

While the ransom demand may be high, the alternative impact can also be devastating.

When the global aluminium producer Norsk Hydro was attacked in 2019, it cost the firm around £45m, and its profits in the immediate aftermath plummeted by 82%, reported Reuters.

Norsk Hydro refused to pay the demand, which would arguably have been cheaper - but it did have insurance.

A spokesman for the ABI said insurers do require that "reasonable precautions" are taken to prevent cyber-attacks from succeeding in the first place, just as cars and houses require security measures in place to deter thieves.

"Some might argue that any insurance that covers against a criminal act could lull the policyholder into a false sense of security," he said.

Prof Martin said he did not think that banning ransomware insurance claims would necessarily solve the problem.

"But it's worth a serious piece of consultation because if we continue as we are, things will get worse," he said.